A critical zero‑day vulnerability in Gemini MCP Tool exposes users to remote code execution (RCE) attacks without any authentication.
Tracked as ZDI‑26‑021 / ZDI‑CAN‑27783 and assigned CVE‑2026‑0755, the flaw carries a maximum CVSS v3.1 score of 9.8, reflecting its ease of exploitation and severe impact.
According to a new advisory from Trend Micro’s Zero Day Initiative (ZDI), the issue affects the open‑source gemini-mcp-tool, a utility designed to integrate Gemini models with Model Context Protocol (MCP) services.
Vulnerability Overview
Both the vendor and product are listed as Gemini MCP Tool / gemini-mcp-tool in the advisory. At the core of the vulnerability is the improper handling of user‑supplied input in the execAsync method.
This function passes input directly into a system call without adequate validation or sanitization.
A remote attacker can exploit this command injection weakness to execute arbitrary code on the underlying system, running with the privileges of the service account.
| Field | Information |
|---|---|
| CVE ID | CVE-2026-0755 |
| 0‑Day Name | gemini-mcp-tool execAsync Command Injection RCE Vulnerability |
| CVSS v3.1 Score | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| Affected Product | gemini-mcp-tool |
| Impact | Remote, unauthenticated arbitrary code execution |
Because the attack vector is network‑based and requires no prior authentication or user interaction, internet‑exposed or shared environments are at particularly high risk.
The vulnerability was originally reported to the vendor on July 25, 2025, via a third‑party platform.
ZDI followed up for updates in November 2025 and, after receiving no sufficient response, informed the vendor on December 14, 2025 of its intention to publish the case as a zero‑day advisory.
The coordinated public disclosure and advisory update occurred on January 9, 2026.
At the time of publication, no official patch or update has been documented. As a result, mitigation options are limited.
ZDI recommends strictly restricting access to the Gemini MCP Tool by ensuring it is not directly exposed to the internet and limiting interaction to trusted networks and users.
Administrators should also monitor systems running gemini-mcp-tool for suspicious process execution and unusual outbound connections that could indicate successful exploitation.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
